data protection

This article is written by Abhishek Verma. This article has been edited by Ojuswi (Associate, Lawsikho). 

This article has been published by Sneha Mahawar.



The phrase “Data is the new oil” was coined in 2006 by Clive Humby, a British mathematician and data science entrepreneur. In this digital era, data is the most valuable asset. Data is information, whether qualitative or quantitative, stored in electronic or physical form. Data plays a vital role in decision-making in almost every sector and at every level when it is gathered completely and accurately and corroborated with other relevant data in a timely manner. When properly refined, usable data quickly becomes a decision-making tool, allowing companies to react to market forces and enabling them to be proactive and intentional in their decision-making.


Governments have long conducted surveys to collect data that helps them formulate policies and make important decisions at various levels. In the same way, corporates in the current era rely on data collected by tracking the activities of the general public: the goods and services people are looking for, or the kind of product they might be interested in, as inferred from factors such as their buying habits, age, sex, culture, weather conditions, etc. They use this data to make important decisions about marketing their products and services to their relevant target customers.

Organisations need data to have a better understanding of the market, purchasing patterns, the budget of people, and demand for products based on geography, age, and other factors. The question then arises of what kind of information they look for and how that information is processed and forwarded to those organisations.

Every time we search for anything or browse any website, we become a source of data for companies. Companies not only track our online activities but also sell that data to other relevant companies so that those companies could take the help of those leads and try to convert them into sales.

And certainly, there are many instances where the storage or usage of data becomes immoral or violates the privacy of people. So there arises the need to regulate the usage of data by legislating certain laws or regulations to prevent the violation of the privacy of people.

In this article, we will be focussing on the current status/position of data protection in India by studying and analysing the relevant provisions that regulate the collection, use and disclosure of data and the case laws dealing with the illegal use of data. 

Data protection 

Data protection is the process of safeguarding data from any kind of unauthorised or illegal use. In other words, it is protection against any use of personal data without the permission of the person whose data is being used, except where the data is used by a competent authority without violating the rights provided under the law. Data protection regulations try to balance the use of data as a resource against the privacy of individuals.

Concept of data : Indian perspective

Data has been defined differently in different acts, and among such definitions, some are outlined hereunder:

According to Section 2(1)(o) of the Information Technology Act, 2000 (the “IT Act”) “data” means “a formalised representation of concepts, information, facts, knowledge, or instructions that are being processed, is being processed or has been processed in a computer system or computer network, and maybe in any form (including computer printouts, magnetic or optical storage media, punched cards, punched tapes), or stored internally in the memory of the computer.” 

The electronic consent framework issued by the Digital Locker Authority defines ‘data’ to mean “Any electronic information stored by a public or private service provider (such as a government service department, a bank, or a document repository, for example). This could apply to both static and transactional documents. Data, on the other hand, is not limited to electronic information; it also includes information saved in physical forms, such as on a sheet of paper.”

These are not the only definitions that set the scope of data under the Indian legal system. Data has also been defined in other regulations, which give the same meaning, although they may differ slightly in scope.

Although India had not been vigilant specifically regarding data protection in the past years, through some landmark judicial pronouncements on the ‘right to privacy’, we can witness some developments in Data Protection in India as privacy is the key element in the concept of ‘Data Protection’.

Judicial pronouncements on privacy : an intrinsic part of data protection

M.P. Sharma and Ors. v. Satish Chandra, District Magistrate, Delhi, and Ors.

In this case, for the very first time, the Hon’ble Supreme Court of India took up the question:

  • Whether the ‘Right to Privacy’ is a fundamental right or not? 
  • Whether a warrant issued under Sections 94 and 96(1) of the Code of Criminal Procedure for search and seizure violates the right to privacy of a person?

It was held that:

  • The power of search and seizure is necessary to protect social security and is not in contravention of any of the provisions of the constitution of India. 
  • Also, the right to privacy was not mentioned as a fundamental right by the constitution-makers.

Kharak Singh v. State of Uttar Pradesh and Ors.

In this case, the main questions that arose were: 

  • Whether the right to privacy is inclusive of Article 21?
  • Whether the domiciliary visit at night for surveillance against the accused violates Articles 21 and 19(1)(d) of the Indian Constitution?
  • Was the act of maintaining history sheets of the previously accused person and keeping track of their movements violative of Article 19(1)(d) and 21 of the Indian Constitution?

It was held that:

  • In the view of the majority of judges, Article 21 of the Constitution of India does not include any provision for privacy, and the right to privacy cannot be considered a fundamental right. 
  • Regulation 236(b) of the UP Police Regulations that authorises Domiciliary visits by the state is unconstitutional as it violates Article 21 of the Indian Constitution.  
  • The court determined that keeping a close eye on a suspect and secretly filming their activities did not obstruct their physical movement and that a psychological barrier to action was not protected under Article 19(1)(d).

Furthermore, it did not violate the suspect’s ‘personal liberty’ as defined by Article 21.

Justice K.S. Puttaswamy (Retd.) and Anr. v. Union of India and Ors.

This case was a landmark judgment by the Hon’ble Supreme Court of India as in this case, it was held that the ‘right to privacy’ is protected or enshrined under Articles 14, 19, and 21 of the Indian Constitution. This case overruled M.P. Sharma and Kharak Singh’s judgment.  

The ‘Aadhar Card Scheme’ was challenged in this case because it violated citizens’ right to privacy by collecting and utilising their biometric information for other purposes. The petitioner stated that the right to privacy is a basic right that should be protected under Article 21 of the Indian Constitution. In response, the respondents argued that the Constitution merely recognizes personal liberty and that citizens have a limited right to privacy.

The Constitutional bench of nine judges was formed to determine the issue unanimously. The Supreme Court ruled that the right to privacy is integral to the right to life and personal liberty guaranteed by Article 21. It is also a part of the rights protected by Part III of the Indian Constitution. It was also stated that the state has an obligation to preserve the privacy of its residents. As a result, the ‘Aadhar Card Scheme’ was found to have violated residents’ right to privacy.

Citizens can now seek court remedies if their data privacy rights are violated, thanks to this judgment of the Hon’ble Supreme Court. This decision also has ramifications for Indian tech businesses’ norms and laws.

In this light, it is essential to look at regulations that deal with data protection laws in India. The following section highlights a few of these legislations.

Regulations in India for data protection 

Although there is no overarching law that regulates the collection and usage of personal data, certain sections in various Acts directly or indirectly regulate the collection and usage of data.

Among those, we will discuss some hereunder:

Personal Data Protection Bill, 2019 (“PDP Bill”)

This bill was drafted by a panel led by BN Srikrishna, a retired Supreme Court Judge, and was reviewed by a Joint Parliamentary Committee that has already submitted its final recommendation. 

The bill has been deliberated for over two years now.  A total of 188 amendments have been recommended out of which 91 amendments are significant, while others are subject to some minor editing of legal nature in different sections. 

The bill will broaden the scope by providing a comprehensive data protection framework that will apply to all forms of personal data processing, as well as processing activities carried out by both the government and private bodies, including corporations.

Applicability of the PDP Bill

The PDP Bill applies to the processing of personal data by:

(i) The Government;

(ii) Companies Incorporated in India;

(iii) Foreign Companies dealing with the personal data of individuals in India.

This bill not only regulates the data collection and usage of internet-based companies but also brick-and-mortar companies.

The nature of data is regulated by the categories of “data” :

Personal data 

According to the bill, personal data means “data relating to a natural person about an attribute, characteristic, trait, or any other factor that aids in the identification of that person.” The bill also establishes a distinction between Critical and Sensitive Personal Data.

Sensitive personal data 

It includes biometric data, financial data, political affiliations, health data, sexual orientation, transgender status, caste or tribe, religious and sex life, etc.

Critical personal data 

It means any such data which will be notified by the Central Government as critical personal data.

Anonymized data 

It means data that has undergone the process of anonymization.

Offences and punishments under the PDP Bill 

  1. Transferring or processing personal data in violation of the Bill shall be punishable with a fine of Rupees 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher.
  2. Failure to undertake a data audit will result in a fine of Rupees 5 crore or 2% of the fiduciary’s annual turnover, whichever is higher.
  3. Re-identification and processing of de-identified personal data without permission or consent is punishable with imprisonment for a term which may extend to three years, or a fine, or both.

The PDP Bill sets up a Data Protection Authority which may:

  1. Take appropriate steps to protect the interests of individuals;
  2. Prevent misuse of personal data, and;
  3. Ensure compliance with the Bill.

According to the bill, the Data Protection Authority will be composed of a chairperson and six members with experience of at least ten years in the fields of data protection and information technology. Appeal from the orders of the Authority can be filed to an Appellate Tribunal and appeals from the Tribunal will go directly to the Supreme Court.

The Information Technology Act, 2000

The Information Technology Act was enacted to regulate electronic commerce and transactions and to prevent cyber crimes by penalising them. The provisions of the IT Act that deal with the protection of data are mentioned hereunder: 

Section 43. Penalty and compensation for damage to the computer, computer system, etc.

According to this section, if any person uses a computer or computer network without taking the consent of the owner to cause harm then he shall be liable to pay damages to the person so affected by the way of compensation.

Section 43A. Compensation for failure to protect data

This section places an obligation on body corporates that deal with or possess any sensitive personal data or information. Where such a body corporate fails to maintain reasonable security practices and procedures and thereby causes any kind of wrongful loss or wrongful gain to any person, it shall be liable to pay compensation to the person who has incurred the loss.  

Section 66C. Punishment for identity theft

This section states that whoever dishonestly or fraudulently makes use of the password, electronic signature, or any other unique identification feature of any other person shall be punished with imprisonment for a term up to three years, or a fine up to rupees one lakh, or both. 

Section 66E. Punishment for violation of privacy

This section provides for the punishment stating that whoever, knowingly or intentionally captures, transmits, or publishes a photograph of a person’s private area without their consent, in circumstances that violate that person’s privacy, is punishable by imprisonment for up to three years or a fine of up to two lakh rupees, or both.

Section 72. Penalty for breach of confidentiality and privacy

This section provides that if any person who has secured access to any information or any other confidential record without the consent of the person concerned discloses the same to any other person, he shall be punished with imprisonment for a term up to two years, or with fine up to INR 1,00,000 (Rupees One Lakh), or with both.

Section 72A. Punishment for disclosure of information in breach of lawful contract

This section provides that if any person discloses any kind of personal or confidential information that he has accessed while providing services under the terms of a lawful contract without the permission of the concerned person then he shall be punished with imprisonment which may extend to three years, or with fine which may extend to rupees five lakh, or with both.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Information) Rules, 2011 govern and regulate the use of sensitive personal data and information, and they apply to every body corporate or any other individual dealing with such sensitive personal data or information. 

Rule 4. Body corporate to provide policy for privacy and disclosure of information

This rule makes it mandatory for body corporates that collect personal information from their users to publish a privacy policy containing all the required provisions on their websites, ensuring that it is clear and easily accessible.  

Rule 5. Collection of information

This rule states that a body corporate shall collect any sensitive information only if it is necessary and for a lawful purpose and that too upon approval from the concerned person. Also, the collected information shall not be used for any other purpose. 

Rule 6. Disclosure of information

This rule prohibits the body corporate from disclosing any personal or sensitive information collected from a person to any third person without the prior permission of the concerned person, except to any government entity which is working under a lawful act. 

Indian Telegraph Act, 1885

The Indian Telegraph Act, 1885 governs the use of wired and wireless telegraphy, telephones, and other digital data communications. Provisions dealing with the privacy of data are:

Section 24. Unlawfully attempting to learn the contents of messages

This section states that if any person unlawfully learns the contents of any message he may be punished with imprisonment for a term up to one year in addition to the fine mentioned under section 23 of the Act. 

Section 25. Intentionally damaging or tampering with telegraphs

This section provides that whoever damages or tampers with any part used in a telegraph to prevent the smooth delivery of any message or to commit any other mischief shall be punished with imprisonment for a term which may extend to three years, or with a fine, or with both.

Section 26. Telegraph officer or other official making away with or altering, or unlawfully intercepting or disclosing, messages, or divulging purport of signals

According to this section, if any telegraph officer or any person who is not a telegraph officer but has official responsibilities in any office that is utilised as a telegraph office willfully conceals, alters, destroys, or omits to transmit any message or part thereof other than acting in obedience to a lawful order of a government shall be punished by imprisonment for a term of up to three years, or by a fine, or both.

Section 30. Retaining a message delivered by mistake

This section provides that if a person fraudulently retains, willfully conceals, or detains a message that should have been delivered to another person he shall be punished with imprisonment for a term up to two years, a fine, or both.

The list of legislations enumerated above is not exhaustive; there are other laws that directly or indirectly regulate the collection and usage of data.


Data is used by almost every entity, and it has become an essential tool for taking important business decisions. When entities use the data of any third person, they have an obligation not to make any inappropriate, illegal, or immoral use of that data. Currently in India, there is no specific regulation for personal data protection comparable to the General Data Protection Regulation (GDPR) in the European Union. However, a panel drafted and proposed a Personal Data Protection Bill in 2019, which was reviewed by a Joint Parliamentary Committee that has already submitted its final recommendations, and the bill is now subject to some amendments. Even without a specific Act for the protection of personal data, there are many other laws that directly or indirectly regulate the collection, usage and disclosure of personal data. However, there still is a dire need for proper legislation that matches up to the growing pace of requirements in the area of data protection.

